Matter No.: 12221-026001 Page 1 of 42 

Applicant(s): Unknown at this time 

FEEDBACK MECHANISM TO MINIMIZE FALSE ASSERTIONS 
OF A NETWORK INTRUSION 












FIG. 2A (flowchart: determining which host of a pair is the server)

  TCP:     the host that sent the synch (SYN) packet is the client; the host
           that sent the synch_ack (SYN-ACK) packet is the server.
           Identify source that sent synch_ack, 23d
  Non-TCP: identify source that uses the lowest-number port of the pair of
           hosts and assume that source is the server, 23e
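The client/server rule of FIG. 2A written out as an added Python example; this is not code from the patent drawings. The packet fields, the host addresses and the sample packets are constructed. One step is an assumption the figure does not spell out: when only the SYN of a TCP pair was captured, the peer of the SYN sender is taken as the server, following the figure's statement that the synch packet identifies the client.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """One observed packet; only the fields FIG. 2A needs."""
    src: str
    dst: str
    proto: str          # "tcp" or anything else ("udp", "icmp", ...)
    sport: int
    dport: int
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag


HostPair = Tuple[str, str]


def pair_key(a: str, b: str) -> HostPair:
    """Unordered host pair stored in sorted order, so both directions share one key."""
    return (a, b) if a <= b else (b, a)


class ServerIdentifier:
    """Decides, per host pair, which host is the server.

    TCP pairs are decided from the handshake: the sender of the synch (SYN) packet
    is the client and the sender of the synch_ack (SYN-ACK) is the server (23d).
    Non-TCP pairs use the rule of 23e: the host on the lowest-numbered port of the
    pair is assumed to be the server.
    """

    def __init__(self) -> None:
        self.server: Dict[HostPair, str] = {}       # decided pairs
        self._syn_sender: Dict[HostPair, str] = {}  # TCP pairs where only the SYN was seen

    def observe(self, p: Packet) -> None:
        key = pair_key(p.src, p.dst)
        if key in self.server:
            return                                   # the first decision for a pair sticks
        if p.proto == "tcp":
            if p.syn and not p.ack:
                self._syn_sender[key] = p.src        # SYN: this host is the client
            elif p.syn and p.ack:
                self.server[key] = p.src             # SYN-ACK: this host is the server (23d)
            return                                   # other TCP packets carry no handshake evidence
        # Non-TCP (23e): the lowest port of the pair marks the server.
        if p.sport < p.dport:
            self.server[key] = p.src
        elif p.dport < p.sport:
            self.server[key] = p.dst
        # Equal ports (e.g. NTP 123 <-> 123) are undecidable by this rule; left open (assumption).

    def server_of(self, a: str, b: str) -> Optional[str]:
        """Server of the pair, or None when no rule has applied yet."""
        key = pair_key(a, b)
        if key in self.server:
            return self.server[key]
        client = self._syn_sender.get(key)
        if client is not None:
            # Only the SYN was captured: the client is known, so its peer is the server (assumption).
            return key[1] if client == key[0] else key[0]
        return None


# Constructed packets for demonstration (not captured traffic).
SAMPLE_PACKETS: List[Packet] = [
    Packet("10.0.0.5", "10.0.0.9", "tcp", 43210, 80, syn=True),            # client -> server SYN
    Packet("10.0.0.9", "10.0.0.5", "tcp", 80, 43210, syn=True, ack=True),  # server SYN-ACK
    Packet("10.0.0.7", "10.0.0.8", "udp", 5353, 53),                       # UDP DNS query
    Packet("10.0.0.1", "10.0.0.2", "udp", 123, 123),                       # NTP peers, equal ports
    Packet("10.0.0.3", "10.0.0.4", "tcp", 5555, 22, syn=True),             # SYN only, reply not seen
]


def classify(packets: List[Packet]) -> ServerIdentifier:
    """Feed a packet list through the identifier and return it for querying."""
    ident = ServerIdentifier()
    for p in packets:
        ident.observe(p)
    return ident


if __name__ == "__main__":
    ident = classify(SAMPLE_PACKETS)
    for a, b in [("10.0.0.5", "10.0.0.9"), ("10.0.0.7", "10.0.0.8"),
                 ("10.0.0.1", "10.0.0.2"), ("10.0.0.3", "10.0.0.4")]:
        print(a, b, "server:", ident.server_of(a, b))
```

The decision is keyed on the unordered pair, so a later packet in the opposite direction cannot flip it; the lowest-port rule is only a heuristic, which is why the TCP handshake is consulted first whenever it is available.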












(Page 5 figure: rotated graphic; only the axis label "source hosts" is recoverable.)




















FIG. 8 (figure; reference numeral 39; no other text recoverable)






FIG. 9 (flowchart, process 50)

  Track moving average, 51
  Track variance of parameter, 52
  [decision; "yes" branch continues]
  Collect anomalies into events, 54
  Send event reports, 55






FIG. 10 (flowchart, process 56)

  Traverse connection table, 56a
  Identify and correlate anomalies by examining connection patterns, 56b
  Determine event, 56c
  Determine event severity, 56d
  Report event, 56e






FIG. 11 (flowchart, process 60)

  Analyze byte and packet counts, 62
  Iterate over connected hosts to determine possible attackers, 64
  exit






FIG. 12 (flowchart, process 63)

  Compare measured inbound rate to historical, 63b
  [decision; "yes" branch:] Use variance to determine if under attack, 63c
  [decision:] Incoming packet count above threshold, 63e
      yes: Increase severity of reported event, 63f
      no:  continue
  Report event, 63g
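An added Python example, not taken from the patent, that puts the statistics of FIG. 9 (moving average 51, variance 52, anomalies collected into events 54 and reported 55) together with the denial-of-service check of FIG. 12 (63b to 63g) and the attacker ranking of FIG. 11 (step 64). The window size, the three-standard-deviation rule, the floor on the standard deviation, the packet threshold, the ranking of connected hosts by packets sent, and the decision to keep anomalous slices out of the baseline are all assumptions; the figures give no values for them. The traffic samples and the connection records are constructed.

```python
import math
from collections import deque
from typing import Deque, Dict, List, Optional, Tuple


class RollingStats:
    """Moving average (step 51) and variance (step 52) over the last `window` samples."""

    def __init__(self, window: int) -> None:
        self.samples: Deque[float] = deque(maxlen=window)

    def add(self, x: float) -> None:
        self.samples.append(x)

    def __len__(self) -> int:
        return len(self.samples)

    @property
    def mean(self) -> float:
        return sum(self.samples) / len(self.samples) if self.samples else 0.0

    @property
    def variance(self) -> float:
        n = len(self.samples)
        if n < 2:
            return 0.0
        m = self.mean
        return sum((s - m) ** 2 for s in self.samples) / (n - 1)   # sample variance

    @property
    def stdev(self) -> float:
        return math.sqrt(self.variance)


MIN_HISTORY = 5    # assumed: no judgement before this many baseline samples exist
SIGMA_K = 3.0      # assumed: deviation, in standard deviations, that counts as anomalous
STDEV_FLOOR = 1.0  # assumed: floor so a perfectly flat baseline does not flag every change


def exceeds_baseline(hist: RollingStats, x: float) -> bool:
    """Compare a measurement to its history (63b) and use the variance to decide (63c)."""
    if len(hist) < MIN_HISTORY:
        return False
    return x > hist.mean + SIGMA_K * max(hist.stdev, STDEV_FLOOR)


def dos_check(hist: RollingStats, inbound_rate: float, inbound_packets: int,
              packet_threshold: int) -> Optional[Dict[str, object]]:
    """FIG. 12: 63b/63c decide whether the host is under attack; 63e/63f raise the
    severity when the incoming packet count is above threshold; 63g reports."""
    if not exceeds_baseline(hist, inbound_rate):
        return None
    severity = "medium"
    if inbound_packets > packet_threshold:            # 63e
        severity = "high"                              # 63f
    return {"type": "dos", "rate": inbound_rate, "severity": severity}   # 63g


def collect_events(anomalies: List[Tuple[str, int, float]]) -> List[Dict[str, object]]:
    """Step 54: consecutive anomalous time slices of one host form a single event."""
    events: List[Dict[str, object]] = []
    for host, t, value in anomalies:
        last = events[-1] if events else None
        if last and last["host"] == host and t == last["end"] + 1:
            last["end"] = t
            last["peak"] = max(last["peak"], value)
        else:
            events.append({"host": host, "start": t, "end": t, "peak": value})
    return events


def analyze(samples, window: int = 8, packet_threshold: int = 5000):
    """samples: (host, time slice, inbound packet rate, inbound packet count).
    Returns the collected events (54, what step 55 would send) and the FIG. 12 reports."""
    history: Dict[str, RollingStats] = {}
    anomalies: List[Tuple[str, int, float]] = []
    reports: List[Dict[str, object]] = []
    for host, t, rate, pkts in samples:
        hist = history.setdefault(host, RollingStats(window))
        if exceeds_baseline(hist, rate):
            anomalies.append((host, t, rate))
            report = dos_check(hist, rate, pkts, packet_threshold)
            if report:
                reports.append({**report, "host": host, "t": t})
            continue   # assumption: anomalous slices are kept out of the baseline
        hist.add(rate)
    return collect_events(anomalies), reports


def possible_attackers(connections, victim: str, top: int = 3) -> List[str]:
    """FIG. 11 step 64 (ranking assumed): the victim's connected hosts ordered by the
    packets they sent to it. connections: (src, dst, packets)."""
    counts: Dict[str, int] = {}
    for src, dst, pkts in connections:
        if dst == victim:
            counts[src] = counts.get(src, 0) + pkts
    return sorted(counts, key=lambda h: counts[h], reverse=True)[:top]


# Constructed samples: a quiet server for eight slices, then two slices of flooding.
SAMPLE_RATES = [("10.0.0.9", t, r, p) for t, (r, p) in enumerate(
    [(100, 600), (110, 660), (95, 570), (105, 630), (100, 600), (108, 650), (97, 580), (103, 620),
     (900, 6000), (850, 4000), (101, 610)])]
SAMPLE_CONNECTIONS = [("10.0.0.1", "10.0.0.9", 50), ("10.0.0.2", "10.0.0.9", 4000),
                      ("10.0.0.3", "10.0.0.9", 1500), ("10.0.0.9", "10.0.0.2", 20)]

if __name__ == "__main__":
    print(analyze(SAMPLE_RATES))
    print(possible_attackers(SAMPLE_CONNECTIONS, "10.0.0.9"))
```

With these samples the baseline settles near 102 packets per slice with a standard deviation of about 5, so the two flooding slices are both anomalous; only the first exceeds the packet threshold and is raised to high severity, and the two slices collapse into one event.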






FIG. 13 (flowchart, process 70)

  Host pair added to time-slice connection table, 71
  [decision; "yes" branch continues]
  Access time slice table, 73
  Find new pair, 74?  (no: loop; yes: continue)
  [decision; "yes" branch:]
  Flag as scanner, 78






FIG. 14 (flowchart, process 80)

  Access connection table, 82
  Examine host pairs in a scan, 83
  Reconstruct path used by worm, 84
  Examine ports used by worm, 85
  Determine exploited services, 86
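The scanner detection of FIG. 13 and the worm-path reconstruction of FIG. 14 share one time-slice connection table, so both are shown in a single added Python example (not code from the patent). Assumptions: a "new pair" is a source/destination pair not seen in any earlier slice, a source is flagged as a scanner once it opens three or more new pairs in one slice (the figure's decision boxes 75 to 77 give no values), an infection hop is a pair whose source was already a scanner and whose destination became one in a later slice, and the port-to-service table is a constructed stand-in for step 86. The traffic records are constructed.

```python
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Conn = Tuple[int, str, str, int]   # (time slice, source host, destination host, destination port)

# Constructed port-to-service table for step 86 (assumption, not from the patent).
SERVICES = {22: "ssh", 80: "http", 445: "microsoft-ds (SMB)"}

NEW_PAIR_THRESHOLD = 3   # assumed: new host pairs one source must open in a slice to be a scanner


class TimeSliceConnectionTable:
    """Host pairs observed per time slice (step 71)."""

    def __init__(self) -> None:
        self.by_slice: Dict[int, List[Conn]] = defaultdict(list)

    def add(self, conn: Conn) -> None:
        self.by_slice[conn[0]].append(conn)


def find_scanners(table: TimeSliceConnectionTable,
                  threshold: int = NEW_PAIR_THRESHOLD) -> Dict[str, int]:
    """FIG. 13: walk the time slices in order (73); a pair never seen in an earlier
    slice is a new pair (74); a source that opens `threshold` or more new pairs within
    one slice is flagged as a scanner (78). Returns scanner -> slice in which it was flagged."""
    known: Set[Tuple[str, str]] = set()
    scanners: Dict[str, int] = {}
    for s in sorted(table.by_slice):
        new_targets: Dict[str, Set[str]] = defaultdict(set)
        for _, src, dst, _ in table.by_slice[s]:
            if (src, dst) not in known:
                known.add((src, dst))
                new_targets[src].add(dst)
        for src, targets in new_targets.items():
            if len(targets) >= threshold and src not in scanners:
                scanners[src] = s
    return scanners


def reconstruct_worm(table: TimeSliceConnectionTable, scanners: Dict[str, int]
                     ) -> Tuple[List[Tuple[str, str, int]], List[str]]:
    """FIG. 14: examine the host pairs of the scans (82, 83). A pair whose source was
    already a scanner and whose destination became one in a later slice is taken as an
    infection hop (84, assumption); the ports on those hops (85) name the exploited
    services (86). Returns (hops, services)."""
    first_hop: Dict[str, Tuple[str, int]] = {}    # victim -> (infector, port), earliest only
    for s in sorted(table.by_slice):
        for _, src, dst, port in table.by_slice[s]:
            if src in scanners and dst in scanners and scanners[src] <= s < scanners[dst]:
                first_hop.setdefault(dst, (src, port))
    hops = sorted((src, dst, port) for dst, (src, port) in first_hop.items())
    ports = sorted({port for _, _, port in hops})
    services = [SERVICES.get(p, f"port {p}") for p in ports]
    return hops, services


def build_sample_table() -> TimeSliceConnectionTable:
    """Constructed traffic: 10.0.0.10 sweeps SMB, two of its targets start sweeping too;
    10.0.0.5 talks to its usual web server in every slice and must not be flagged."""
    table = TimeSliceConnectionTable()
    records: List[Conn] = [
        (0, "10.0.0.10", "10.0.0.20", 445), (0, "10.0.0.10", "10.0.0.30", 445),
        (0, "10.0.0.10", "10.0.0.40", 445), (0, "10.0.0.5", "10.0.0.1", 80),
        (1, "10.0.0.20", "10.0.0.50", 445), (1, "10.0.0.20", "10.0.0.60", 445),
        (1, "10.0.0.20", "10.0.0.70", 445), (1, "10.0.0.10", "10.0.0.80", 445),
        (1, "10.0.0.5", "10.0.0.1", 80),
        (2, "10.0.0.50", "10.0.0.90", 445), (2, "10.0.0.50", "10.0.0.100", 445),
        (2, "10.0.0.50", "10.0.0.110", 445), (2, "10.0.0.5", "10.0.0.1", 80),
    ]
    for r in records:
        table.add(r)
    return table


if __name__ == "__main__":
    t = build_sample_table()
    found = find_scanners(t)
    print("scanners:", found)
    print("worm path:", reconstruct_worm(t, found))
```

The "known pairs" set is what keeps a busy but stable host from being flagged: its pairs stop being new after their first slice, while a sweeping host keeps producing new pairs every slice.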










FIG. 16 (flowchart, process 90)

  Examine host pairs from connection table, 92
  [decision; "no" branch:]
  Apply other indicia to determine if unauthorized access, 96
  Apply indicia that can decrease severity of event, 98
  Send event, 99






FIG. 17 (flowchart, process 100)

  Determine if one Host has transmitted/received at least N packets before, 106
      no: Indicate Host as a new Host, 108






FIG. 18 (flowchart, process 110)

  Receive statistics on a Host
  [decision; no / yes]
  Determine if ratio of standard deviation rate to mean rate of server
  response packets is less than R, 114
      yes: Indicate Host as a failed Host, 116














FIG. 21 (flowchart, process 200)

  Form groups of nodes according to connection patterns, 200a
  Merge groups into larger groups according to connection habits, 200b






FIG. 22 (flowchart, process 200a)

  construct a k-neighborhood graph, 212
  identify bi-connected components (BCC) in the k-neighborhood graph, 214
  assign nodes contained in one BCC to a new group, 216
  vertices representing those hosts are removed, 220
  replace vertices with one vertex representing the entire group, 222
  Repeat until the groups are large enough, 224






(Page 25 flowchart, process 230)

  generate a connectivity graph, 232
  build k-neighborhood graph, 234
  remove group nodes from k-neighborhood graph, 236
  Generate bi-connected components, 238
  replace in the connection graph the nodes in e by a new group node
  containing those nodes, 240
  label a group G by a pair including a unique identifier, 242
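The grouping loop of FIG. 21 (200a), FIG. 22 (212 to 224) and process 230 (232 to 242) as one added Python example; this is not the patent's code. The drawings do not define the k-neighborhood graph, so the example assumes the usual reading: two vertices are adjacent when they share at least k neighbours in the connectivity graph. Also assumed are the minimum group size, the stopping rule (k is lowered whenever a pass forms no group, and the loop ends at k = 0) and the group label format "G1", "G2", ...; the host pairs are constructed. The bi-connected components are found with the Hopcroft-Tarjan lowpoint algorithm.

```python
from collections import defaultdict
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

Graph = Dict[str, Set[str]]


def connectivity_graph(connections: List[Tuple[str, str]]) -> Graph:
    """Step 232: undirected graph, one vertex per host, one edge per observed host pair."""
    g: Graph = defaultdict(set)
    for a, b in connections:
        if a != b:
            g[a].add(b)
            g[b].add(a)
    return dict(g)


def k_neighborhood_graph(g: Graph, k: int) -> Graph:
    """Steps 212/234 (assumed definition): vertices sharing at least k neighbours are adjacent."""
    kg: Graph = {v: set() for v in g}
    for u, v in combinations(sorted(g), 2):
        if len(g[u] & g[v]) >= k:
            kg[u].add(v)
            kg[v].add(u)
    return kg


def biconnected_components(g: Graph) -> List[FrozenSet[str]]:
    """Steps 214/238: Hopcroft-Tarjan lowpoint algorithm with an explicit DFS stack.
    Each component is returned as its vertex set; a bridge appears as a 2-vertex set."""
    index: Dict[str, int] = {}
    low: Dict[str, int] = {}
    edges: List[Tuple[str, str]] = []          # tree and back edges not yet assigned
    comps: List[FrozenSet[str]] = []
    for root in sorted(g):
        if root in index:
            continue
        index[root] = low[root] = len(index)
        stack = [(root, None, iter(sorted(g[root])))]
        while stack:
            v, parent, it = stack[-1]
            child = None
            for w in it:
                if w == parent:
                    continue
                if w not in index:
                    child = w
                    break
                if index[w] < index[v]:          # back edge to an ancestor
                    edges.append((v, w))
                    low[v] = min(low[v], index[w])
            if child is not None:
                index[child] = low[child] = len(index)
                edges.append((v, child))
                stack.append((child, v, iter(sorted(g[child]))))
                continue
            stack.pop()                          # v is finished
            if stack:
                p = stack[-1][0]
                low[p] = min(low[p], low[v])
                if low[v] >= index[p]:           # p separates v's subtree: pop one component
                    comp: Set[str] = set()
                    while True:
                        e = edges.pop()
                        comp.update(e)
                        if e == (p, v):
                            break
                    comps.append(frozenset(comp))
    return comps


def form_groups(connections: List[Tuple[str, str]], k_start: int,
                min_group: int = 3) -> Dict[str, FrozenSet[str]]:
    """FIG. 22 / process 230: build the k-neighborhood graph (212/234) without the vertices
    of groups already formed (236); each BCC with at least min_group hosts becomes a group
    (216); its hosts are removed (220) and replaced by one group vertex (222/240) with a
    unique label (242). A pass that forms no group lowers k (224); stop at k = 0 (assumed)."""
    g = connectivity_graph(connections)
    groups: Dict[str, FrozenSet[str]] = {}
    k = k_start
    while k >= 1:
        kg = k_neighborhood_graph(g, k)
        for gid in groups:
            kg.pop(gid, None)
        for nb in kg.values():
            nb.difference_update(groups)
        formed = False
        for comp in biconnected_components(kg):
            members = frozenset(v for v in comp if v in g)   # skip hosts collapsed earlier this pass
            if len(members) < min_group:
                continue
            gid = f"G{len(groups) + 1}"
            groups[gid] = members
            outside = set().union(*(g[v] for v in members)) - members
            for v in members:
                for w in g.pop(v):
                    if w in g:
                        g[w].discard(v)
            g[gid] = outside
            for w in outside:
                g[w].add(gid)
            formed = True
        if not formed:
            k -= 1
    return groups


# Constructed host pairs: two fully meshed sets of four hosts joined by one link,
# plus h9, which only talks to h1.
SAMPLE_PAIRS = (list(combinations(["h1", "h2", "h3", "h4"], 2))
                + list(combinations(["h5", "h6", "h7", "h8"], 2))
                + [("h4", "h5"), ("h1", "h9")])

if __name__ == "__main__":
    print(form_groups(SAMPLE_PAIRS, k_start=2))
```

On the sample, the two meshes survive the k = 2 filter (every pair inside a mesh shares two neighbours) while the bridge h4-h5 and the leaf h9 do not, so each mesh becomes exactly one bi-connected component and one group, and h9 stays ungrouped.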











FIG. 25 (flowchart, process 200b)

  Determine group pairs that meet connection and similarity requirements, 254
  append a triple (G1, G2, s) to a list of edges, 256
  sort triples in list of edges based on s-values, 258
  Form a new group, 260
  assign to be the minimum number of connection pairs a host has, 262
  clear the list of edges, 264
  exit






FIG. 26 (flowchart, process 270)

  receive two sets of results produced by the grouping process, 272
  Correlate two results, 274






FIG. 27 (flowchart, labelled 200b)

  compare results of two executions of grouping algorithm, 282
  Update the ID set, 284
  correlate the IDs of the two sets, 286
  assign ID according to the highest degree of similarity, 288






(Page 30 flowchart, labelled 200b)

  remove differences between the two host sets, Ht and Ht-1, 290
  compare the connection patterns of the hosts, 292
  compute a set of nodes at time t-1 but removed at time t, and a set of
  nodes that only appear at time t, 294
  determine similarity, 296
  determine if groups are the same, 298
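The group merging of FIG. 25 (254 to 264) and the cross-period correlation of FIG. 26, FIG. 27 and the page 30 flowchart (272 to 298) both rank candidate pairs by a similarity value s, so one added Python example covers both; it is not the patent's code. The similarity measure (Jaccard index), the threshold 0.5, the use of a group's outside neighbours as its "connection habits", the merge loop running until no pair qualifies, and the "new-N" labels for unmatched groups are assumptions; the group memberships and host pairs are constructed.

```python
from typing import Dict, FrozenSet, List, Set, Tuple

Groups = Dict[str, FrozenSet[str]]
MIN_SIMILARITY = 0.5   # assumed threshold, used for both merging and cross-period matching


def jaccard(a: Set[str], b: Set[str]) -> float:
    """Assumed similarity value s: |a & b| / |a | b|, 0 for two empty sets."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def group_neighbours(groups: Groups, connections: List[Tuple[str, str]]) -> Dict[str, Set[str]]:
    """Connection habits of a group: the hosts outside it that its members talk to."""
    owner = {h: gid for gid, hosts in groups.items() for h in hosts}
    nb: Dict[str, Set[str]] = {gid: set() for gid in groups}
    for a, b in connections:
        for x, y in ((a, b), (b, a)):
            gx = owner.get(x)
            if gx is not None and owner.get(y) != gx:
                nb[gx].add(y)
    return nb


def merge_groups(groups: Groups, connections: List[Tuple[str, str]],
                 min_similarity: float = MIN_SIMILARITY) -> Groups:
    """FIG. 25 (200b): every group pair whose connection habits are similar enough (254)
    is appended as a triple (G1, G2, s) to a list of edges (256); the list is sorted by s
    (258) and, best pair first, each still-unmerged pair forms a new group (260); the list
    is cleared (264) and the pass repeats until no pair qualifies (assumed)."""
    groups = dict(groups)
    while True:
        nb = group_neighbours(groups, connections)
        ids = sorted(groups)
        edges = [(g1, g2, jaccard(nb[g1], nb[g2]))
                 for i, g1 in enumerate(ids) for g2 in ids[i + 1:]
                 if jaccard(nb[g1], nb[g2]) >= min_similarity]
        if not edges:
            return groups
        edges.sort(key=lambda e: e[2], reverse=True)
        merged: Set[str] = set()
        for g1, g2, _ in edges:
            if g1 in merged or g2 in merged:
                continue
            groups[f"{g1}+{g2}"] = groups.pop(g1) | groups.pop(g2)
            merged.update((g1, g2))
        edges.clear()   # 264: start the next pass from an empty edge list


def correlate(prev: Groups, cur: Groups, min_similarity: float = MIN_SIMILARITY
              ) -> Tuple[Dict[str, str], Set[str], Set[str]]:
    """FIG. 26/27/page 30: compare two executions of the grouping (272/282). Hosts present
    in only one period are set aside (290/294) and memberships are compared on the common
    hosts (292/296); each current group takes the ID of the most similar previous group
    (286/288) or a fresh ID when nothing qualifies (284). Returns (mapping, removed, added)."""
    prev_hosts: Set[str] = set().union(*prev.values()) if prev else set()
    cur_hosts: Set[str] = set().union(*cur.values()) if cur else set()
    removed, added = prev_hosts - cur_hosts, cur_hosts - prev_hosts
    common = prev_hosts & cur_hosts
    candidates = sorted(((c, p, jaccard(cur[c] & common, prev[p] & common))
                         for c in cur for p in prev), key=lambda t: t[2], reverse=True)
    mapping: Dict[str, str] = {}
    taken: Set[str] = set()
    for c, p, s in candidates:
        if s < min_similarity or c in mapping or p in taken:
            continue
        mapping[c] = p
        taken.add(p)
    for n, c in enumerate(sorted(set(cur) - set(mapping)), start=1):
        mapping[c] = f"new-{n}"
    return mapping, removed, added


# Constructed data: three small groups and the servers their members talk to.
SAMPLE_GROUPS: Groups = {"G1": frozenset({"h1", "h2"}), "G2": frozenset({"h3", "h4"}),
                         "G3": frozenset({"h5", "h6"})}
SAMPLE_CONNS = [("h1", "s1"), ("h2", "s1"), ("h2", "s2"), ("h3", "s1"), ("h4", "s2"),
                ("h5", "s9"), ("h6", "s9")]
# Constructed grouping results for two successive periods.
PREV_RESULT: Groups = {"G1": frozenset({"h1", "h2", "h3", "h4"}), "G2": frozenset({"h5", "h6", "h7", "h8"})}
CUR_RESULT: Groups = {"A": frozenset({"h1", "h2", "h3", "h9"}), "B": frozenset({"h5", "h6", "h7"}),
                      "C": frozenset({"h20", "h21", "h22"})}

if __name__ == "__main__":
    print(merge_groups(SAMPLE_GROUPS, SAMPLE_CONNS))
    print(correlate(PREV_RESULT, CUR_RESULT))
```

Restricting the comparison to hosts present in both periods is what makes the IDs stable: a group that lost one host and gained another still matches its predecessor perfectly on the hosts they share, while a group made only of newly appeared hosts gets a fresh ID.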














FIG. 31 (flowchart)

  Provide list of events, 319a
  User selects event, 319b
  User snoozes event, 319c
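The list / select / snooze interaction of FIG. 31 (319a to 319c) as an added Python example, not code from the patent. The drawing only names the three steps, so the semantics are assumed: snoozing an event hides it, and any later event of the same kind for the same host, until the snooze expires, after which everything is listed again. The clock is passed in explicitly and the session is constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Event:
    event_id: int
    kind: str         # e.g. "scan", "dos"
    host: str         # host the event is about
    severity: str
    detected_at: int  # seconds on a constructed clock


class EventConsole:
    """Event list with the select/snooze feedback of FIG. 31 (semantics assumed)."""

    def __init__(self) -> None:
        self._events: List[Event] = []
        self._snoozed: Dict[Tuple[str, str], int] = {}   # (kind, host) -> expiry time
        self._next_id = 1

    def report(self, kind: str, host: str, severity: str, now: int) -> Event:
        """Detector side: add a new event to the list."""
        ev = Event(self._next_id, kind, host, severity, now)
        self._next_id += 1
        self._events.append(ev)
        return ev

    def is_snoozed(self, ev: Event, now: int) -> bool:
        expiry = self._snoozed.get((ev.kind, ev.host))
        return expiry is not None and now < expiry

    def list_events(self, now: int) -> List[Event]:
        """319a: the list shown to the user, without snoozed events."""
        return [e for e in self._events if not self.is_snoozed(e, now)]

    def select(self, event_id: int) -> Optional[Event]:
        """319b: the user picks one event from the list."""
        return next((e for e in self._events if e.event_id == event_id), None)

    def snooze(self, event_id: int, now: int, duration: int) -> bool:
        """319c: the user snoozes the selected event for `duration` seconds."""
        ev = self.select(event_id)
        if ev is None or duration <= 0:
            return False
        self._snoozed[(ev.kind, ev.host)] = now + duration
        return True


def demo() -> Tuple[List[int], List[int], List[int]]:
    """Constructed session: two events, the scan is snoozed for an hour, a repeat scan
    event arrives during the snooze. Returns the visible event ids at three times."""
    console = EventConsole()
    scan = console.report("scan", "10.0.0.10", "medium", now=100)
    console.report("dos", "10.0.0.9", "high", now=110)
    before = [e.event_id for e in console.list_events(now=120)]
    console.snooze(scan.event_id, now=120, duration=3600)
    console.report("scan", "10.0.0.10", "medium", now=200)      # repeat during the snooze
    during = [e.event_id for e in console.list_events(now=210)]
    after = [e.event_id for e in console.list_events(now=4000)]
    return before, during, after


if __name__ == "__main__":
    print(demo())
```

Keying the snooze on (kind, host) rather than on the event id is what turns a one-off dismissal into feedback: the repeat detection of the same condition stays out of the list, but nothing is deleted, and the expiry guarantees the suppression is temporary.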

































